Current technologies to deal with malicious code are largely derived from signature-based mechanisms. Particular variants of malicious code have a unique ‘signature’ that can be generated (once the malicious code has been analyzed), distributed to machines and then used to check against software on a machine. This is the predominant technology to combat worms and viruses, and is increasingly used for other forms of malware.
Signature-based mechanisms can be used to scan static (non-running) files and programs, to look for malicious code. They are often also used to dynamically scan programs on startup, or when loaded by other programs (e.g. scanning Word documents before they are loaded into a word processor). Signature-based mechanisms are weak when the malicious code spreads quickly (it takes time to generate and distribute the signature), when the malicious code varies (either by changing its structure as it spreads, as in a polymorphic virus, or through customization by the malware author), or when the malicious code is rare (such as a customized Trojan). Unfortunately these characteristics are increasingly common in practice.
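The following added example (not from the original text) shows a minimal static signature scanner and how its coverage drops once a sample varies from the one that was analyzed. The byte strings are constructed, harmless stand-ins, and the signature names and the single-byte encoding are assumptions made for illustration.

```python
import hashlib
import re


def xor_bytes(data: bytes, key: int) -> bytes:
    """Store data under a single-byte encoding (stand-in for per-copy variation)."""
    return bytes(b ^ key for b in data)


# Constructed, harmless stand-ins for an analyzed sample and later variants.
BODY = b"LOAD cfg; RUN stage-A; EXIT"
ORIGINAL = b"HDR\x01" + BODY                    # sample the signatures were built from
REBUILT = b"HDR\x02" + BODY                     # customized build: one header byte differs
REENCODED = b"HDR\x01" + xor_bytes(BODY, 0x5A)  # same body, different stored form
CLEAN = b"HDR\x01" + b"PRINT report; EXIT"      # unrelated benign file

# Signature database generated after analyzing ORIGINAL (names are hypothetical).
HASH_SIGS = {hashlib.sha256(ORIGINAL).hexdigest(): "Sample.A!hash"}
PATTERN_SIGS = {
    # Byte pattern with one wildcard byte after the header magic.
    "Sample.A!bytes": re.compile(rb"HDR.LOAD cfg; RUN stage-A", re.DOTALL),
}


def scan(data: bytes) -> list[str]:
    """Return the names of all signatures that match a static file image."""
    hits = []
    name = HASH_SIGS.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for name, pattern in PATTERN_SIGS.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def coverage() -> dict[str, list[str]]:
    """Scan every constructed sample and report which signatures fired."""
    samples = {"original": ORIGINAL, "rebuilt": REBUILT,
               "reencoded": REENCODED, "clean": CLEAN}
    return {label: scan(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, hits in coverage().items():
        print(f"{label:10s} -> {hits or 'no match'}")
```

The whole-file hash only matches the exact sample that was analyzed, the byte pattern tolerates the one-byte customization, and neither fires on the copy whose stored form changed, which is the gap the paragraph above describes.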